Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch
â– Every IP address and mask pair (source or destination) used in an
ACE creates one of the following policies:
• Any IP address fits the matching criteria. In this case, the switch
automatically enters the IP address and mask in the ACE. For exam-
ple:
access-list 1 deny any
produces this policy in an ACL listing:
IP Address Mask
0.0.0.0 255.255.255.255
This policy states that every bit in every octet of a packet’s SA is a
wildcard, which covers any IP address.
• One IP address fits the matching criteria. In this case, you provide
the IP address and the switch provides the mask. For example:
access-list 1 permit host 18.28.100.15
produces this policy in an ACL listing:
IP Address Mask
18.28.100.15 0.0.0.0
This policy states that every bit in every octet of a packet’s SA must
be the same as the corresponding bit in the SA defined in the ACE.
• A group of IP addresses fits the matching criteria. In this case
you provide both the IP address and the mask. For example:
access-list 1 permit 18.28.32.1 0.0.0.31
IP Address Mask
18.28.32.1 0.0.0.31
This policy states that:
– In the first three octets of a packet’s SA, every bit must be set the
same as the corresponding bit in the SA defined in the ACE.
– In the last octet of a packet’s SA, the first three bits must be the
same as in the ACE, but the last five bits are wildcards and can
be any value.
â– Unlike subnet masks, the wildcard bits in an ACL mask need not be
contiguous. For example, 0.0.7.31 is a valid ACL mask. However, a
subnet mask of 255.255.248.224 is not a valid subnet mask.
10-32
To Next Page
Loading...
Need help?
General